Active Directory Compromise: The Complete Recovery Playbook

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Active Directory compromise is the central objective in most ransomware attacks and advanced persistent threat intrusions. An attacker with domain admin privileges can extract the NTDS.dit database, dump all domain password hashes, create persistent backdoor accounts, establish malicious group policy objects, and forge Kerberos tickets that remain valid for years.
Recovery from AD compromise requires more than resetting compromised account passwords. This playbook covers the complete sequence: confirming the scope of compromise, executing the KRBTGT double-reset procedure that invalidates golden tickets, auditing persistent backdoors, validating AD trust relationships, and the decision framework for forest rebuild versus in-place recovery.
Confirm the scope of compromise before beginning recovery
Recovery steps vary significantly depending on what the attacker achieved. Beginning recovery actions before scoping the compromise leads to incomplete remediation.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The KRBTGT double-reset procedure
The KRBTGT account password must be reset twice, with a minimum of 10 hours between resets, to invalidate all outstanding golden tickets. A single reset is insufficient because the first reset changes the current password but the previous password is still retained for Kerberos compatibility — golden tickets signed with the old key remain valid until the second reset removes the previous password value.
The 10-hour wait is critical. The default Kerberos ticket lifetime is 10 hours. After the first KRBTGT reset, tickets signed with the old key that are currently in use throughout the domain will expire naturally within 10 hours. After 10 hours, all legitimate tickets have been reissued against the new key. The second reset then removes the retained old key, invalidating any golden tickets that were forged before the first reset.
Failing to complete the second reset leaves forged golden tickets valid for up to 10 years.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Remove attacker persistence
After invalidating golden tickets, remove all persistence mechanisms the attacker may have established. The KRBTGT reset invalidates existing forged tickets but does not remove backdoor accounts, malicious GPOs, or other persistence.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Forest rebuild decision framework
In-place recovery (the procedure above) is appropriate when the scope of compromise is well-understood and contained. Forest rebuild from scratch is necessary when confidence in the integrity of the AD environment cannot be restored.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
Active Directory compromise recovery has a defined technical sequence, but executing it correctly requires confidence in the scope of what the attacker achieved and the discipline to complete all steps — including the second KRBTGT reset that many incomplete recovery efforts skip. An incomplete AD recovery that leaves one backdoor account, one malicious GPO, or a golden ticket still in circulation results in re-compromise from the same attacker, often within days of the initial recovery. The KRBTGT double-reset and a complete privileged account audit are not optional steps — they are the core of the recovery.
Frequently asked questions
What is a Kerberos golden ticket and why is it so dangerous?
A Kerberos golden ticket is a forged Ticket Granting Ticket (TGT) signed with the KRBTGT account's password hash. Because it is signed with the domain's master Kerberos key, all Kerberos infrastructure in the domain treats it as legitimate. An attacker with the KRBTGT hash can create a ticket for any user, with any group membership, valid for any duration (up to 10 years by default). It provides persistent, unrestricted access to all Kerberos-authenticated services in the domain and survives account password resets — because the ticket is authenticated against the KRBTGT key, not the impersonated user's key.
Why does KRBTGT need to be reset twice?
Active Directory retains the KRBTGT account's previous password for Kerberos compatibility — to allow in-flight tickets signed with the previous key to complete their lifetime without causing authentication errors domain-wide. After the first reset, golden tickets signed with the old key remain valid against the retained previous password. After the 10-hour Kerberos ticket lifetime expires, legitimate tickets have been reissued against the new key. The second reset removes the retained previous password, eliminating the last key the golden ticket was valid against.
How long does Active Directory recovery take?
In-place recovery of a confirmed AD compromise — including KRBTGT double reset with the 10-hour wait, privileged account audit and cleanup, persistence removal, and validation — takes 24 to 48 hours minimum in a mid-size environment. Forest rebuild takes 48 to 96 hours or more depending on environment size and complexity. Both timelines assume AD expertise is available. Engaging external IR specialists typically reduces recovery time and increases confidence in completeness.
Sources & references
- Microsoft AD Forest Recovery Guide
- CISA MS-ISAC AD Security Best Practices
- Mandiant: Recovering Active Directory After a Compromise
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
